John McKittrick: There's no way that a high school punk can
put a dime into a telephone and break into our system! He's
got to be working with somebody else. He's got to be!
Wigan: He does fit the profile perfectly. He's intelligent, an
underachiever, alienated from his parents, has few friends.
A classic case for recruitment by the Soviets.
— War Games, 1983
© 2020 Philip Koopman 1
■ Anti-Patterns for Security Threats
  • Assuming unsophisticated attacks
  • Ignoring operational environment changes
  • Ignoring threats from equipment owner

■ Security Threats:
  • What is the motivation for attacking you?
  • How sophisticated are the attackers?
    – Are they likely to have access to tool support?
  • What's your operational environment?
    – How can they compromise the CIA properties in your particular system?
      {Confidentiality, Integrity, Availability}
StuxNet Embedded Controller Attack

■ Specifically designed to attack Siemens controllers
■ Spread malware via USB stick
  • Network isolation doesn't stop this
■ Infects Siemens Step7 Windows controller management software
■ Step7 then infects Siemens PLCs
  – Monitors Profibus (embedded network)
  – Over-rev of centrifuge controllers for Uranium enrichment

[Infographic: How Stuxnet Worked. Illustration: L-Dopa]
1. Infection: Stuxnet enters a system via a USB stick and proceeds to infect all machines running Microsoft Windows. By brandishing a digital certificate that seems to show that it comes from a reliable company, the worm is able to evade automated-detection systems.
2. Search: Stuxnet then checks whether a given machine is part of the targeted industrial control system made by Siemens. Such systems are deployed in Iran to run high-speed centrifuges that help to enrich nuclear fuel.
3. Update: If the system isn't a target, Stuxnet does nothing; if it is, the worm attempts to access the Internet and download a more recent version of itself.
4. Compromise: The worm then compromises the target system's logic controllers, exploiting "zero day" vulnerabilities, software weaknesses that haven't been identified by security experts.
5. Control: In the beginning, Stuxnet spies on the operations of the targeted system. Then it uses the information it has gathered to take control of the centrifuges, making them spin themselves to failure.
6. Deceive and destroy: Meanwhile, it provides false feedback to outside controllers, ensuring that they won't know what's going wrong until it's too late to do anything about it.
http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
■ Nation-State attacks
  • Political, economic goals
  • Surveillance

■ Criminals
  • It's about the $$$
    – Ransomware
    – Denial of service
  • Attacks as a service

■ Just for the LoLs
  • Fame, publicity, notoriety
  • Revenge
[Infographic: industrial cybersecurity threat actors]

RUSSIA
  Targets: Electricity, manufacturing, mining, oil and gas, railway
  Demonstrated capability: Penetrate ICS operator IT and OT networks
  Primary objectives: Geopolitically driven disruption and destruction of infrastructure
  Risk: Likely to conduct disruptive or destructive attacks outside U.S., likely to target U.S. ICS operators, unlikely to cause disruption or destruction against U.S. operators

NORTH KOREA
  Targets: Light rail and electricity
  Demonstrated capability: Penetrate ICS operator IT networks
  Primary objectives: Retaliatory strikes against national adversaries
  Risk: Likely to conduct disruptive or destructive attacks outside U.S., possible disruptive or destructive attacks against U.S. ICS operators

CHINA
  Targets: Manufacturing, electricity, light rail, oil and gas, water and dam
  Demonstrated capability: Penetrate ICS operator IT and OT networks
  Primary objectives: Traditional [remainder illegible in source]
  Risk: [partly illegible in source] unlikely to cause disruption or destruction

IRAN
  Targets: Electricity, water and dam
  Demonstrated capability: Penetrate ICS operator IT and OT networks
  Primary objectives: [cut off in source]

Source: http://www.boozallen.com/content/dam/boozallen/documents/Viewpoints/2016/06/industrial-cybersecurity-threat-briefing.pdf
Casual abuser
  • Tries default password, "1234", etc.

Script Kiddie
  • Uses tools created by others

Organized group (criminal, hacktivist)
  • Sophisticated, clever attacks, broken crypto
  • Willing to spend weeks/months on an attack

Nation-State
  • Advanced persistent threat (waiting for an opportunity)
  • Can exploit unpublished vulnerabilities, marginal crypto
  • Willing to spend years on an attack

Owner
  • Can reverse engineer system to recover secrets
  • Should assume attacker can find out any secrets from a unit they buy

https://goo.gl/XvEYiW
Operational Environment

■ How exposed are you to attack?
  • Is your equipment directly on the Internet?
  • Is your wireless network unencrypted?
  • Can anyone buy and reverse engineer your equipment?
■ Network connections?
  • Ethernet, embedded networks, discrete I/O, user interface
■ Data upload/download?
  • Firmware or configuration file updates?
  • On-line updates, or do they require manual access to equipment?
■ Trusted Personnel?
  • Do only trusted personnel have access to equipment?
  • Are employees incentivized to attack your system (e.g., due to time pressure)?
  • Is security seen as important, or something that gets in the way?

Embedded Internet Attack Vectors
■ Internet connectivity
  • If it's on the Internet, it is being attacked 24x7
  • Firewalls are often bypassed or porous
■ Wireless connectivity
  • "Short range" wireless can be attacked from afar

[Sidebar] Davis Besse Nuclear Power Plant
  Event: Aug 20, 2003 Slammer worm infects plant
  Impact: Complete shutdown of digital portion of Safety Parameter Display System (SPDS) and Plant Process Computer (PPC)
  Worm jumped from corporate to plant network and found an unpatched server
  Patch had been available for 6 months

[Homeland Security recommendations]
  • Secure remote (trusted) access channels
  • Ensure Defense-in-depth strategies with appropriate procurement requirements
  • Critical patches need to be [illegible in source]

[Photo] John Hering from Flexilis, with the new BlueSniper Rifle. Range of over 1 km is
http://www.tomsguide.com/us/how-to-bluesniper-pt1,review-408.html


Integrity

■ Data Integrity – data not altered
  • Publish both data and digest of data
  • Receiver checks digest against message
  • If digest does not match, it is corrupted

■ Digest techniques:
  • Checksum/CRC: insecure – accidental only
  • Message Authentication Code: symmetric key hash (shared key)
    [Figure: An Example of Message Authentication Code Algorithm, https://goo.gl/4H1QFY
     Sender computes a MAC over the message with the shared key and transmits MESSAGE | MAC.
     Receiver recomputes the MAC from the received message and the same key.
     If the same MAC is found: then the message is authentic and integrity checked.
     Else: something is not right.]
  • Secure Digital Signature: asymmetric key signature (public+private key pair)

■ Authentication: you know who computed the digest
  • Identity implicit in which key was used. MAC can be forged by receiver.
  • PKI provides identity, revocation, non-repudiation
  • Non-repudiation: signer can't say "that wasn't me" if PKI info is archived
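Worked example, added here and not part of the original slides, contrasting the two digest techniques above: a keyless CRC-32 and an HMAC-SHA256 message authentication code, including why a MAC can be forged by the receiver. The key, messages and helper names are constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample values for this demonstration (not from the original slides).
SHARED_KEY = b"shared-secret-known-to-sender-and-receiver"
ORIGINAL = b"cmd=set_speed;rpm=1000"

def crc_digest(msg: bytes) -> int:
    """Keyless digest (CRC-32): built to detect accidental corruption only."""
    return zlib.crc32(msg) & 0xFFFFFFFF

def crc_ok(msg: bytes, tag: int) -> bool:
    """Receiver-side CRC check: recompute over the message and compare."""
    return crc_digest(msg) == tag

def mac_digest(key: bytes, msg: bytes) -> bytes:
    """Symmetric-key digest (HMAC-SHA256): cannot be computed without the key."""
    return hmac.new(key, msg, hashlib.sha256).digest()

def mac_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver-side MAC check; compare_digest avoids a timing side channel."""
    return hmac.compare_digest(mac_digest(key, msg), tag)

def integrity_outcomes() -> dict:
    """How each digest fares against noise, deliberate change, and the receiver."""
    crc = crc_digest(ORIGINAL)
    mac = mac_digest(SHARED_KEY, ORIGINAL)

    # 1. Accidental corruption (one flipped bit): both digests stop matching.
    noisy = bytes([ORIGINAL[0] ^ 0x01]) + ORIGINAL[1:]

    # 2. Deliberate change without the key: a CRC has no secret, so a fresh CRC
    #    over the new payload passes the receiver's check, while the MAC cannot
    #    be recomputed (reusing the old tag or guessing a key both fail).
    altered = ORIGINAL.replace(b"rpm=1000", b"rpm=1400")

    # 3. The receiver holds the shared key, so it can mint a valid MAC for any
    #    message: a MAC proves "someone with the key", not "the sender", hence
    #    no non-repudiation (a signer-only private key is what a signature adds).
    receiver_written = b"cmd=set_speed;rpm=9000"

    return {
        "crc_catches_noise": not crc_ok(noisy, crc),
        "mac_catches_noise": not mac_ok(SHARED_KEY, noisy, mac),
        "crc_accepts_altered": crc_ok(altered, crc_digest(altered)),
        "mac_rejects_old_tag": not mac_ok(SHARED_KEY, altered, mac),
        "mac_rejects_wrong_key": not mac_ok(SHARED_KEY, altered, mac_digest(b"guess", altered)),
        "receiver_can_forge_mac": mac_ok(SHARED_KEY, receiver_written, mac_digest(SHARED_KEY, receiver_written)),
    }
```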
Confidentiality

■ Secrecy
  • Data can't be understood by others
  • Data can only be read by those who know the decryption key

■ Secrecy via encryption
  • Symmetric encryption (shared key)
    – Need to trust receiver with secret key
  • Asymmetric encryption (public + private key pair)
    – Only need to trust PKI to establish identity
  https://goo.gl/1YVuWB

■ Privacy
  • Activity can't be associated with an individual
  • Encryption might only be a part of this
    – For example, encryption does not hide who is communicating
LG Smart TV Privacy Issue, Nov 2013

■ LG TVs support "Smart Ads" by monitoring your viewing habits
  • Turned off viewing data collection (on by default)
  • But, TV still sent viewing information back to LG servers anyway
  • AND, snooped file names on a USB flash drive and sent them in too

■ LG Initial Response: "... as you accepted the Terms and Conditions on your TV, your concerns would be best directed to the retailer."

■ Do you think Netflix Streaming monitors your viewing habits?
  • What happens with that info?

https://goo.gl/vV9BZRH


Availability

■ Services are available when desired
  • Denial of Service: attacker hits system with requests to drain resources
    – Overload CPU
    – Fill up memory with incomplete transactions
    – Drain battery on portable system
    [Screenshot: Digital Attack Map] http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=15944&view=map
  • Distributed Denial of Service (DDoS):
    – Coordinated attack from many different IP addresses
    – Often accomplished using a BotNet (multiple "Bot" compromised machines)

■ Feature activation
  • Malicious ability to turn on unpaid features on a pay-per-function system
  • Vendor ability to turn off features on cloned or counterfeit system
Best Practices for Threat Assessment

■ Determine what parts of CIA you care about
  • Is secrecy really necessary? Privacy?
  • Integrity usually matters a lot
  • Does availability matter if shutdown is safe?

■ Assume strong threats
  • Tool support for sophisticated attacks
  • Over time, system might be networked
  • Equipment owner might attack system
    – To recover manufacturer "secrets"
    – To subvert a particular system

■ Pitfalls
  • Assuming naive, un-motivated attackers
  • Incorrectly emphasizing secrecy (encryption)

[Sidebar] August 2017: FDA recalls 465,000 St. Jude pacemakers
The devices must be given a firmware update to protect them against a set of critical vulnerabilities, first reported by MedSec, which could drain pacemaker battery life, allow attackers to change programmed settings, or even change the beats and rhythm of the [text cut off in source] the FDA issued a security advisory, warning that the pacemakers must be recalled -- and as they are embedded within the chests of their users, this requires a trip to the hospital to have the software patch applied. https://goo.gl/NXikaL

[Figure: Implanted Pacemaker; labels: Incision, Lead, Implanted Pacemaker] https://goo.gl/pW2R9
[Comic: xkcd 1121, https://xkcd.com/1121/]
"Hey, I lost the ... what is it, again?"
"Ooh, good question! I bet we can construct a proof-of-identity protocol. Start by picking two random—"
"Oh good; it's you."
"No!"

A Voice Deepfake Was Used To Scam A CEO Out Of $243,000
Jesse Damiani, Contributor, Consumer Tech (Forbes)
It's the first noted instance of an artificial intelligence-generated voice deepfake used in a scam.
https://www.forbes.com/sites/jessedamiani/2019/09/03/a-voice-deepfake-was-used-to-scam-a-ceo-out-of-243000/#5d6e6c512241


